Barriers to Passing Federal Breach Notification BillCongressional Hearing Highlights the Difficulties
Despite bipartisan rhetoric, comments from lawmakers and witnesses at a House hearing Jan. 27 illustrate why reaching a consensus on a national data breach notification law remains a challenge.
Remarks made at the hearing of the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade outlined three major obstacles Congress and President Obama must surmount to enact a national data breach notification law:
- Winning support for pre-emption, in which a federal law would supersede all or parts of the 47 state data breach notification statutes;
- Deciding whether evidence of harm to breach victims is needed before requiring companies to notify consumers, and defining the type of harm that would trigger notification; and
- Defining personally identifiable information that, if breached, would trigger notification.
"These issues have been on the table in previous years; perhaps this year, after all the breaches, there's enough momentum to get a compromise that will become law," Peter Swire, a Georgia Tech professor who served as chief counselor for privacy in the Clinton administration, said in a telephone interview after the hearing.
That's the aspiration of Subcommittee Chairman Michael Burgess, R-Texas, who says he believes bipartisan support for a national notification law is achievable. "We are seeking to find agreement not only between the two sides of the aisle, but also between stakeholders with divergent interests," Burgess said. "The sooner we understand the very most important principles, the smoother negotiations will go over the next couple months."
Business representatives testifying at the hearing agreed that a federal law must pre-empt the state laws because complying with 47 different state statutes is burdensome. "A federal standard cannot simply become a 48th standard that states can add their own requirements atop," testified Elizabeth Hyman, executive vice president for public advocacy at the technology trade group TechAmerica. "Overlaying more regulations on top of the existing patchwork of laws adds to the problem and does not help our companies protect consumers."
But consumer protection activists contend a national law that pre-empts state statutes could weaken protections that some states offer.
"Any national consumer privacy laws should be a floor, not a ceiling. States must be allowed to enact stronger measures," John Simpson, director of the privacy project at Consumer Watchdog, said earlier this month when President Obama outlined his data breach notification proposal (see Obama's Breach Notification Plan Lacks Specifics). "We're concerned that in an effort to achieve bipartisan action there is a real possibility of passing loophole-laden legislation that actually makes things worse."
Rep. Peter Welch, D-Vt., said at the hearing he was wary of pre-empting state breach notification laws, but he added that he might change his mind if such a bill contains strong consumer protections. "I've been persuaded that if we can get the right [consumer protections], this is one of those situations where it really makes sense to have pre-emption," Welch said.
What Is Harm?
Defining the right standard, however, is difficult. For example, if a law was to require businesses to notify consumers only if the data breach will cause them harm, how would it define harm? Often, it's defined as economic loss or identity theft. Business groups generally seek harm as a trigger for notification because otherwise, consumers would be deluged with breach notices.
"Inundating customers with notice of every systems penetration would create a perverse outcome where customers will be less likely to pay attention to breach notices or less likely to discern between breaches that may impact them and those that have no customer impact," Brian Dodge, executive vice president for strategic initiatives at the Retail Industry Leaders Association, told the subcommittee.
Another witness, Cumberland School of Law Associate Professor Woodrow Hartzog, argued that requiring harm to trigger notification is "dubious" because it's difficult to determine the damage disclosed information could eventually cause. For example, contact information exposed in a breach could pave the way for phishing attacks, which could lead to further breaches, he said.
"It's very difficult to draw a line of causation between a beach that occurred and likely harm that can occur some time in the future," said Hartzog, who's also an affiliate scholar at Stanford Law School's Center for Internet and Society. "Oftentimes, data gets flooded downstream, aggregated with other pieces of data, and it can be extremely difficult to meet the burden of proof that harm is actually likely in any one particular instance."
Defining Personally Identifiable Information
Besides defining harm, agreeing on a definition of personally identifiable information could prove to be an obstacle to get a national law enacted. For instance, Obama's data breach notification proposal would identify the combination of user name and password as personally identifiable information, something past legislative proposals did not include.
Dodge said a national law must provide a precise and targeted definition of personal information, which he sees as sensitive data that, if exposed, could place consumers in peril. "An overly broad definition that includes harmless or publicly available data will both detract from the effectiveness of the notice - over-notifying (consumers) - and chill the innovative use of data by the private sector," he said.
Can the three major obstacles be overcome to create compromise legislation that Congress can pass and the president sign?
"This is an issue crying out for a compromise," said Georgia Tech's Swire, who earlier in the Obama administration served as special assistant to the president for economic policy. "Each of these issues has in-between positions. We can have compromise on each one of these three issues or a package that trades some of them against the other. Drafting a compromise is not so hard; it's figuring where the balance of power lays and where the victory will be between the consumer advocates and the industry."
Vermont's Welch said the differences among lawmakers on data breach notification legislation isn't ideological but practical. "We have a common objective," he said. "The hope, I think for all of us, is to find some common-sense balancing of interests so at the end of the day we do protect consumers with data breach security, we give some reasonable certainty to our companies and we have a standard that's robust and strong."